
Over 700,000 OpenSSH servers found susceptible to remote code execution, tracked as CVE-2024-6387

Unauthorized remote code execution with root access can be achieved by exploiting a recently uncovered weakness, according to Qualys' experts.


In a recent report by Qualys, over 700,000 OpenSSH servers are at risk from the vulnerability CVE-2024-6387. This critical remote unauthenticated code execution (RCE) flaw is caused by a signal handler race condition in OpenSSH's server (sshd).

Technical Details

The vulnerability arises from a race condition in sshd's signal handling and primarily affects glibc-based Linux systems. It is a regression of an earlier vulnerability (CVE-2006-5051): the flaw had been fixed, but was inadvertently reintroduced in OpenSSH versions starting from 8.5p1 (October 2020) up to 9.7p1. It allows unauthenticated attackers to gain remote code execution as root, which makes it extremely dangerous. Affected OpenSSH server versions are all versions ≥ 8.5p1 and < 9.8p1 on glibc-based Linux systems.
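A practical first step is to check the OpenSSH version an exposed host advertises against the affected range stated above. The following is an added example (not Qualys' or the OpenSSH project's code) that parses SSH identification strings from a constructed inventory and flags versions in [8.5, 9.8); the banner alone cannot tell you whether a distribution has backported the fix or whether the host is glibc-based Linux, so a hit means "check the vendor advisory", not "confirmed vulnerable".

```python
import re

# Affected range from the advisory: server versions >= 8.5p1 and < 9.8p1.
# The portable suffix (p1) is only a packaging designation, so the
# comparison is done on (major, minor).
AFFECTED_MIN = (8, 5)
FIXED_IN = (9, 8)

# SSH identification string: "SSH-<proto>-OpenSSH_<major>.<minor>[p<n>] [comment]"
_BANNER_RE = re.compile(r"^SSH-\d\.\d+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable) from an OpenSSH banner, or None if the
    banner is not from OpenSSH (e.g. dropbear) or cannot be parsed."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def is_in_affected_range(banner):
    """True if the advertised version is within [8.5, 9.8).
    Versions before 8.5 predate the regression and are not in range.
    Returns None when the banner cannot be parsed."""
    v = parse_openssh_version(banner)
    if v is None:
        return None
    return AFFECTED_MIN <= v[:2] < FIXED_IN


def triage(inventory):
    """Classify {host: banner} into 'affected-range', 'outside-range' or
    'unknown'. Note that distribution backports keep the old version string,
    so 'affected-range' must be confirmed against the vendor's advisory."""
    result = {}
    for host, banner in inventory.items():
        hit = is_in_affected_range(banner)
        if hit is None:
            result[host] = "unknown"
        else:
            result[host] = "affected-range" if hit else "outside-range"
    return result


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "bastion-1": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "bastion-2": "SSH-2.0-OpenSSH_9.8p1",
    "legacy-1": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "iot-gw": "SSH-2.0-dropbear_2022.83",
}
```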

Impacted Systems

Most glibc-based Linux systems running vulnerable OpenSSH versions are affected; the exploit has been demonstrated under controlled conditions on some 32-bit Linux systems. No widespread impact on macOS or Windows OpenSSH servers has been confirmed. Windows systems running OpenSSH are not documented as impacted at this time, and macOS, which uses a different libc implementation, appears unaffected based on available reports.

Mitigation Steps

1. Update OpenSSH

Upgrade OpenSSH to version 9.8p1 or later, where this vulnerability is patched. Linux distributions and vendors (e.g., Debian, SuSE, VMware) have released patches or advisories recommending the upgrade.

2. Workarounds (if upgrading is delayed)

  • Set to 0 in the sshd configuration file (). This disables the grace time window during which the vulnerability can be exploited but may cause Denial of Service risks by immediately disconnecting unauthenticated sessions.
  • Restrict SSH access to trusted networks or use firewall rules to limit exposure until patched.

3. Platform-specific notes

  • Linux: upgrade immediately; apply the workarounds if the patch cannot be applied right away.
  • macOS: No confirmed impact; users should monitor Apple security advisories and update SSH/OpenSSH if Apple releases a patch.
  • Windows: OpenSSH on Windows appears unaffected; standard best practices apply: update OpenSSH regularly and restrict SSH access.

Summary

| Aspect | Details |
|---------------------|-------------------------------------------|
| Vulnerability Type | Remote unauthenticated root RCE via signal handler race condition |
| Affected OpenSSH | Versions 8.5p1 through 9.7p1 on glibc-based Linux |
| Impacted Systems | Linux (glibc-based), some 32-bit Linux; macOS/Windows not confirmed vulnerable |
| Fix Available | OpenSSH 9.8p1 and later |
| Workaround | Grace time set to 0 in the sshd configuration file (denial-of-service risk) |
| Recommended Action | Immediate upgrade of OpenSSH server |

Due to the seriousness and ease of exploitation, upgrading OpenSSH promptly on Linux servers exposed to the internet is strongly advised. Other platforms should stay updated and monitor vendor advisories.

Exploits of CVE-2024-6387 could facilitate network propagation, allowing attackers to use a compromised system as a foothold to traverse and exploit other vulnerable systems within the organization. This could result in complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access, as stated by Bharat Jogi, senior director of Qualys threat research unit.

The vulnerability likely exists in macOS and Windows, but exploitability on those systems hasn't been confirmed. Qualys researchers have dubbed this vulnerability "regreSSHion."

The vulnerable versions of OpenSSH are 8.5p1 through 9.7p1, and the latest available update, version 9.8p1, fixes the vulnerability. Threat researchers published technical details of the vulnerability on Monday. If exploited, the flaw in OpenSSH's server allows unauthenticated remote code execution as root on glibc-based Linux systems. Qualys encourages enterprises to mitigate the risk by applying the latest version of OpenSSH and limiting access through network-based controls.

  1. The current vulnerability in OpenSSH, named regreSSHion, is a remote unauthenticated root RCE arising from a signal handler race condition that affects glibc-based Linux systems.
  2. To mitigate the risk of exploitation, enterprises are advised to update their OpenSSH servers to version 9.8p1 or later, or to set the parameter in the sshd configuration file to 0, though this may introduce a denial-of-service risk.
  3. Firewall rules can also be used to restrict SSH access to trusted networks as a temporary measure until the patches are applied.
  4. The importance of network security in data and cloud computing is underlined: successful exploitation of CVE-2024-6387 could facilitate network propagation, leading to system takeovers, malware installation, data manipulation, and the creation of persistent backdoors.
